authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-08-05 20:21:58 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-08-05 20:22:25 +0200
commit124bf6e8b9d202a4fd00d0790d3d546a2a90cedf (patch)
tree35e2261c59dd43261aa31e69d944ad24648b71e4
parente2bd64a7068f0969f002cff1d1db87a7793a8795 (diff)
downloadgnutls-tmp-switch-to-pkcs8-format.tar.gz
certtool: switch to output with PKCS#8 format by defaulttmp-switch-to-pkcs8-format
This gives a consistent output format across all private key types. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--src/certtool-args.def2
-rw-r--r--src/certtool-common.c13
-rw-r--r--src/certtool-common.h9
-rw-r--r--src/certtool.c14
4 files changed, 23 insertions, 15 deletions
diff --git a/src/certtool-args.def b/src/certtool-args.def
index bc1bf5f5da..13162dfb0b 100644
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -217,6 +217,8 @@ flag = {
flag = {
name = pkcs8;
value = 8;
+ enabled;
+ disable = "no";
descrip = "Use PKCS #8 format for private keys";
doc = "";
};
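Review bot: The `descrip` still reads "Use PKCS #8 format for private keys" although the added `enabled;`/`disable = "no";` make PKCS#8 the default, and the certtool.c part of this commit gives an explicit `--pkcs8` the extra meaning of password-protecting the key; a user reading `--help` learns neither that nor that `--no-pkcs8` is now the way to get the legacy format. Suggest `descrip = "Use PKCS #8 format for private keys (default; --pkcs8 also asks for a password, --no-pkcs8 selects the legacy format)";` and filling the empty `doc` with the same two facts. The `flag` block is complete within the hunk.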
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 4d876976dc..a7f55ace28 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -322,7 +322,7 @@ load_x509_private_key(int mand, common_info_st * info)
app_exit(1);
}
- if (info->pkcs8) {
+ if (info->ask_pass) {
pass = get_password(info, &flags, 0);
ret =
gnutls_x509_privkey_import_pkcs8(key, &dat,
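Review bot: The new `if (info->ask_pass)` gate preserves the old `info->pkcs8` behaviour here (both are `HAVE_OPT(PKCS8)` in cmd_parser), but the name now reads as "prompt or not" while the branch actually selects `gnutls_x509_privkey_import_pkcs8` over the fallback import that lies outside the hunk. A comment would stop the next reader from "correcting" it: `/* --pkcs8 still selects PKCS#8 import (with password); the new default format only affects export */`. If that fallback cannot parse unencrypted PKCS#8, keys written by the new default would need `--pkcs8` to be loaded back — not visible from this hunk, worth confirming. load_x509_private_key starts and ends outside the hunk.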
@@ -1291,7 +1291,7 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
switch_to_pkcs8_when_needed(cinfo, key, gnutls_x509_privkey_get_pk_algorithm(key));
- if (!cinfo->pkcs8) {
+ if (cinfo->no_pkcs8) {
size = lbuffer_size;
ret = gnutls_x509_privkey_export(key, cinfo->outcert_format,
@@ -1305,8 +1305,13 @@ print_private_key(FILE *outfile, common_info_st * cinfo, gnutls_x509_privkey_t k
unsigned int flags = 0;
const char *pass;
- pass = get_password(cinfo, &flags, 0);
- flags |= cipher_to_flags(cinfo->pkcs_cipher);
+ if (cinfo->ask_pass) {
+ pass = get_password(cinfo, &flags, 0);
+ flags |= cipher_to_flags(cinfo->pkcs_cipher);
+ } else {
+ pass = NULL;
+ flags |= GNUTLS_PKCS_PLAIN;
+ }
size = lbuffer_size;
ret =
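Review bot: The new `else` branch writes the key with `GNUTLS_PKCS_PLAIN` whenever `ask_pass` is unset, so a `--pkcs-cipher` given on the command line (the only use of `cinfo->pkcs_cipher` in this path is inside the `ask_pass` branch) is silently ignored and an unencrypted key is written where the caller asked for a cipher. Since PKCS#8 is now the default, nothing in the common path reports this; suggest widening the condition to `if (cinfo->ask_pass || cinfo->pkcs_cipher != NULL) {` so an explicit cipher request goes through `get_password` as before, or failing loudly when a cipher is given without a password source. Whether `get_password` tolerates the empty `cinfo->password` that switch_to_pkcs8_when_needed installs is not visible here. print_private_key starts and ends outside the hunk.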
diff --git a/src/certtool-common.h b/src/certtool-common.h
index 3973f1a28a..6092cc6c43 100644
--- a/src/certtool-common.h
+++ b/src/certtool-common.h
@@ -38,10 +38,10 @@ typedef struct common_info {
const char *secret_key;
const char *privkey;
const char *pubkey;
- int pkcs8;
int incert_format;
int outcert_format;
const char *cert;
+ int no_pkcs8;
const char *request;
const char *crl;
@@ -51,6 +51,7 @@ typedef struct common_info {
unsigned bits;
const char *sec_param;
const char *pkcs_cipher;
+ int ask_pass;
const char *password;
int null_password;
int empty_password;
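Review bot: The new `ask_pass` field is added without a comment next to `password`, `null_password` and `empty_password`, and its meaning is not what the name says: in this commit it is set from `HAVE_OPT(PKCS8)` and both selects PKCS#8 import in load_x509_private_key and enables the password/cipher path in print_private_key. Suggest `int ask_pass; /* --pkcs8 given: PKCS#8 import, and password-protected PKCS#8 export */` so the coupling is visible at the declaration. The struct definition starts and ends outside the hunk.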
@@ -83,14 +84,14 @@ typedef struct common_info {
static inline
void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t key, unsigned key_type)
{
- if (cinfo->pkcs8)
+ if (!cinfo->no_pkcs8)
return;
if ((key_type == GNUTLS_PK_RSA_PSS || key_type == GNUTLS_PK_EDDSA_ED25519)) {
if (cinfo->verbose)
fprintf(stderr, "Assuming --pkcs8 is given; %s private keys can only be exported in PKCS#8 format\n",
gnutls_pk_algorithm_get_name(key_type));
- cinfo->pkcs8 = 1;
+ cinfo->no_pkcs8 = 0;
if (cinfo->password == NULL)
cinfo->password = "";
}
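Review bot: The verbose message "Assuming --pkcs8 is given" at the `fprintf` is now misleading: with PKCS#8 the default, this branch is only reached when the user passed `--no-pkcs8`, and `--pkcs8` itself now means "ask for a password" rather than "use PKCS#8". Suggest `"Ignoring --no-pkcs8; %s private keys can only be exported in PKCS#8 format\n"`, which names the option actually being overridden. switch_to_pkcs8_when_needed starts inside the hunk but its body continues past it.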
@@ -98,7 +99,7 @@ void switch_to_pkcs8_when_needed(common_info_st *cinfo, gnutls_x509_privkey_t ke
if (gnutls_x509_privkey_get_seed(key, NULL, NULL, 0) != GNUTLS_E_INVALID_REQUEST) {
if (cinfo->verbose)
fprintf(stderr, "Assuming --pkcs8 is given; provable private keys can only be exported in PKCS#8 format\n");
- cinfo->pkcs8 = 1;
+ cinfo->no_pkcs8 = 0;
if (cinfo->password == NULL)
cinfo->password = "";
}
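Review bot: The `cinfo->password = ""` defaulting kept in the provable-key branch appears to have no remaining effect on the export path, since print_private_key in this commit only consults the password when `ask_pass` is set and otherwise exports with `GNUTLS_PKCS_PLAIN` — inferred from the other hunks, so please confirm. If so, either drop the two password lines here or annotate them: `/* only consulted when --pkcs8 (ask_pass) is also given */`. As with the previous branch, the message should say "Ignoring --no-pkcs8" rather than "Assuming --pkcs8 is given". switch_to_pkcs8_when_needed ends outside the hunk.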
diff --git a/src/certtool.c b/src/certtool.c
index a57e324449..5bb6414978 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -1371,7 +1371,10 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(LOAD_PUBKEY))
cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
- cinfo.pkcs8 = HAVE_OPT(PKCS8);
+ /* The --pkcs8 option was being used to encrypt private keys.
+ * Let it be for backwards compatibility */
+ cinfo.ask_pass = HAVE_OPT(PKCS8);
+ cinfo.no_pkcs8 = !(ENABLED_OPT(PKCS8));
cinfo.incert_format = incert_format;
cinfo.outcert_format = outcert_format;
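Review bot: `cinfo.ask_pass = HAVE_OPT(PKCS8)` is likely also true when the user passes `--no-pkcs8`, since with AutoOpts a negated option is still "present" and only `ENABLED_OPT` distinguishes the two — this depends on generated code not shown here, so verify. If so, `--no-pkcs8` would set `ask_pass` and send a loaded key through the PKCS#8 import with a password prompt while the export uses the legacy format, which is the opposite of what the user asked. Suggest `cinfo.ask_pass = HAVE_OPT(PKCS8) && ENABLED_OPT(PKCS8);` and extending the new comment to say that `--no-pkcs8` selects the legacy format while a positive `--pkcs8` keeps its old password-prompting meaning. cmd_parser starts and ends outside the hunk.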
@@ -1403,9 +1406,9 @@ static void cmd_parser(int argc, char **argv)
if (HAVE_OPT(PASSWORD)) {
cinfo.password = OPT_ARG(PASSWORD);
- if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.pkcs8 == 0) {
- fprintf(stderr, "Assuming PKCS #8 format...\n");
- cinfo.pkcs8 = 1;
+ if (HAVE_OPT(GENERATE_PRIVKEY) && cinfo.no_pkcs8) {
+ fprintf(stderr, "A private key can be encrypted only in PKCS#8 format...\n");
+ app_exit(1);
}
}
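Review bot: The removed "Assuming PKCS #8 format" path used to turn on PKCS#8 (and with it password-based encryption) when `--password` was given to `--generate-privkey`; the replacement only rejects the `--no-pkcs8` case and otherwise leaves `ask_pass` unset, so `--generate-privkey --password x` without `--pkcs8` now writes an unencrypted key while the user believes it is protected (print_private_key's new `else` branch uses `GNUTLS_PKCS_PLAIN`). Suggest adding, after the `if` block, `if (HAVE_OPT(GENERATE_PRIVKEY)) cinfo.ask_pass = 1;` so a supplied password is always applied, and the new error text could name the option: `"A private key can be encrypted only in PKCS#8 format; do not use --no-pkcs8 with --password\n"`. cmd_parser starts and ends outside the hunk.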
@@ -1763,9 +1766,6 @@ void privkey_info(common_info_st * cinfo)
fprintf(stderr, "import error: %s\n", gnutls_strerror(ret));
app_exit(1);
}
- /* On this option we may import from PKCS #8 but we are always exporting
- * to our format. */
- cinfo->pkcs8 = 0;
print_private_key(outfile, cinfo, key);
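Review bot: With `cinfo->pkcs8 = 0` removed and nothing clearing `ask_pass`, a `--key-info --pkcs8 --password x` invocation (the way an encrypted key is loaded, per the load_x509_private_key hunk) now reaches print_private_key with `ask_pass` set, so the key echoed in the info output is re-encrypted — possibly after a second password prompt — instead of being printed plainly as the deleted comment intended. If the "always export in our format" intent still holds, restore it with `cinfo->ask_pass = 0; /* key-info prints the key unencrypted regardless of how it was loaded */` in place of the removed line. This is inferred from the other hunks; the behaviour of get_password on a second call is not visible here. privkey_info starts outside the hunk.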